Cyber Resilience

CVE-2022-4681

Severity: Critical · Public PoC

Published: 06 February 2023
Modified: 25 March 2025
KEV Added: (not listed)
Patch: (no value listed)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0720 (91.8th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4681 is a critical-severity vulnerability (weakness type unspecified) in the Wpwave Hide My WP WordPress plugin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Hide My WP WordPress plugin before version 6.2.9 contains a SQL injection vulnerability. The issue stems from insufficient sanitization and escaping of a parameter passed to a SQL statement inside an AJAX action, allowing direct manipulation of database queries.

Unauthenticated attackers can reach the vulnerable AJAX endpoint over the network without any credentials or user interaction. Successful exploitation can yield full read, write, and delete access to the database, corresponding to the CVSS 9.8 rating that reflects high impact across confidentiality, integrity, and availability.
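The pattern described above, an unauthenticated AJAX action that interpolates a request parameter straight into SQL, is shown below next to its hardened form. This is an added illustration written for this page, not the Hide My WP plugin's code; the action names, the `slug` parameter and the query are all hypothetical, since the advisory does not name the real endpoint.

```php
<?php
// Hypothetical WordPress AJAX handler constructed for this page. It is NOT the
// Hide My WP plugin's code; the action names, the `slug` parameter and the
// query are assumptions used only to show the vulnerable and hardened shapes.

// --- Vulnerable pattern: untrusted request value concatenated into SQL ---
function example_vulnerable_lookup() {
    global $wpdb;
    $slug = isset( $_POST['slug'] ) ? $_POST['slug'] : '';   // raw, unescaped input
    // String interpolation lets the request rewrite the statement itself.
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '{$slug}'";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
// wp_ajax_nopriv_* exposes the handler to visitors who are not logged in,
// which is what makes this reachable without credentials.
add_action( 'wp_ajax_nopriv_example_lookup', 'example_vulnerable_lookup' );

// --- Hardened pattern ---
function example_hardened_lookup() {
    global $wpdb;
    // 1. Require a nonce issued to the page that legitimately calls this endpoint.
    check_ajax_referer( 'example_lookup_nonce', 'nonce' );

    // 2. Unslash and sanitize the value before it goes anywhere near SQL.
    $slug = sanitize_text_field( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( '' === $slug || strlen( $slug ) > 200 ) {
        wp_send_json_error( 'invalid slug', 400 );
    }

    // 3. Parameterize: $wpdb->prepare() quotes and escapes the %s placeholder,
    //    so the value can only ever be data, never part of the query structure.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s AND post_status = 'publish'",
        $slug
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_nopriv_example_lookup_safe', 'example_hardened_lookup' );
add_action( 'wp_ajax_example_lookup_safe', 'example_hardened_lookup' );
```

The nonce check and length limit narrow who can call the endpoint and with what, but the step that actually closes the injection is `$wpdb->prepare()`: every value that reaches the database goes through a placeholder. When reviewing a plugin for this class of bug, grep its `wp_ajax_nopriv_` registrations and follow each request parameter to the `$wpdb` call that consumes it.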

The issue is documented in the WPScan advisory linked in the references, which identifies the affected plugin versions and the specific injection vector.

EPSS remains flat at 0.0720 with no material increase after disclosure.

EU & UK References

Vulnerability details

The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpwave
Product: hide my wp
Versions: ≤ 6.2.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References